Re: [exim] Use of P0f

Author: Phil Pennock
Date:  
To: W B Hacker
CC: exim users
Subject: Re: [exim] Use of P0f
On 2009-05-13 at 23:16 +0800, W B Hacker wrote:
> In another thread covering greylisting, Mike Cardwell posted that greylisting
> could be skipped when (among other entries):
>
> > 2.) If P0F detects the connecting host to be non-Windows (Used P0F for this)
>
> Which sounded interesting, so....
>
> Using p0f with the barest of directives:


An alternative which I've been using since 2008-04-27 is to use the pf
packet filter (I run FreeBSD) to detect the OS and redirect connections
from Windows to port 26 and have Exim use local port stuff in exim.conf.
More lightweight than Perl (which is somewhat more heavyweight than
dnsdb).

/etc/pf.conf contains
----------------------------8< cut here >8------------------------------
bad_os_list="Windows"
# and all_ifs, main_if, main_service_ipv4 and main_service_ipv6_mx as
# appropriate

#...
rdr on $main_if inet proto tcp from any os $bad_os_list to (self) port 25 \
        tag BADOS -> $main_service_ipv4 port 26
rdr on $main_if inet6 proto tcp from any os $bad_os_list to (self) port 25 \
        tag BADOS -> $main_service_ipv6_mx port 26
#...
pass in  on $all_ifs proto tcp tagged BADOS flags S/SA keep state \
        label "BAD OS $If"
----------------------------8< cut here >8------------------------------


/etc/exim/exim.conf 
----------------------------8< cut here >8------------------------------
INBOUND_MTA_BADOS=26
#...
acl_smtp_connect = acl_connect
#
acl_connect:
  # Assume a good OS by default; the connection-scope variable is
  # flipped below when pf has redirected the session to port 26.
  warn    set acl_c_bados = no
  #...
  accept  hosts = *
          condition = ${if =={$received_port}{INBOUND_MTA_BADOS}}
          set acl_c_bados = yes
          delay = 7s
  #...
#
acl_check_rcpt:
  #...
  # Tag and log the message; acl_c_bados persists for the whole connection.
  warn    condition     = $acl_c_bados
          add_header    = :at_start:X-Filter-BadOS: true [$sender_host_address]
          logwrite      = Sender host [$sender_host_address] is a bad OS
  #...
----------------------------8< cut here >8------------------------------


*cough*

For any legally inclined folks reading this, please note that "bad OS"
is a descriptive label applied to describe local policy on which OSes
are considered desirable for running an MTA or sending mail directly to
my system and is not a description of the quality of the OS.

Looking in my Spam folder (stuff which gets past RBLs), 28% of the mails
therein have the X-Filter-BadOS: header.

Regards,
-Phil
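The 28% figure above comes from looking at which Spam-folder messages carry the X-Filter-BadOS header the ACL adds. The script below is an added example, not part of Phil's post or of Exim, that performs that measurement over an mbox file or Maildir and breaks the tally down by tagged source address. It assumes the header is exactly in the `true [addr]` shape the ACL produces; the sample messages embedded in it are constructed for the demo.

```python
"""Tally messages carrying the X-Filter-BadOS header in a mail folder.

Added example (not from the original post or from Exim). Counts how many
messages in an mbox/Maildir were tagged by the acl_check_rcpt rule shown
above and groups the tags by source address.
"""
import email
import mailbox
import os
import sys
from collections import Counter
from email.message import Message
from typing import Iterable, Optional, Tuple

HEADER = "X-Filter-BadOS"

# Constructed sample messages (not real mail): three tagged by the ACL,
# one untagged, one carrying a value the ACL would never produce.
SAMPLE_MESSAGES = [
    "From: a@example.invalid\nSubject: one\n"
    "X-Filter-BadOS: true [192.0.2.10]\n\nbody\n",
    "From: b@example.invalid\nSubject: two\n"
    "X-Filter-BadOS: true [198.51.100.7]\n\nbody\n",
    "From: c@example.invalid\nSubject: three\n\nbody\n",
    "From: d@example.invalid\nSubject: four\n"
    "X-Filter-BadOS: true [192.0.2.10]\n\nbody\n",
    "From: e@example.invalid\nSubject: five\n"
    "X-Filter-BadOS: yes\n\nbody\n",
]


def parse_bados_value(value: str) -> Optional[str]:
    """Extract the host address from the ACL's 'true [addr]' value.

    Returns None when the value is not in that shape, so a stray header
    with other content is not counted as an MTA tag.
    """
    value = value.strip()
    if not (value.startswith("true [") and value.endswith("]")):
        return None
    addr = value[len("true ["):-1].strip()
    return addr or None


def tally(messages: Iterable[Message]) -> Tuple[int, int, Counter]:
    """Return (tagged, total, tags-per-address) for a sequence of messages.

    msg.get() returns the first occurrence of the header. Because the ACL
    adds its copy with :at_start:, the MTA's own header is the one examined
    even if the message already carried one of the same name on arrival.
    """
    total = tagged = 0
    by_addr: Counter = Counter()
    for msg in messages:
        total += 1
        addr = parse_bados_value(msg.get(HEADER, ""))
        if addr is None:
            continue
        tagged += 1
        by_addr[addr] += 1
    return tagged, total, by_addr


def percentage(tagged: int, total: int) -> float:
    """Share of tagged messages, rounded to one decimal place."""
    return 0.0 if total == 0 else round(100.0 * tagged / total, 1)


def tally_raw(raw_messages: Iterable[str]) -> Tuple[int, int, Counter]:
    """Tally messages given as raw RFC 822 text (used for the samples)."""
    return tally(email.message_from_string(r) for r in raw_messages)


def tally_folder(path: str) -> Tuple[int, int, Counter]:
    """Open an mbox file or a Maildir directory and tally its messages."""
    box = mailbox.Maildir(path) if os.path.isdir(path) else mailbox.mbox(path)
    return tally(box)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        tagged, total, by_addr = tally_folder(sys.argv[1])
    else:
        tagged, total, by_addr = tally_raw(SAMPLE_MESSAGES)
    print(f"{tagged}/{total} messages tagged ({percentage(tagged, total)}%)")
    for addr, n in by_addr.most_common():
        print(f"  {addr}: {n}")
```

Run it with the path to a Spam mbox or Maildir as the single argument; with no argument it reports on the embedded samples. The per-address breakdown is useful for spotting whether a single tagged host dominates the count before drawing conclusions about the OS-fingerprint policy as a whole.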